CVE-2026-53289
Publication date:
26/06/2026
In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in ice_reset_all_vfs()

ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().
When the VSI rebuild fails (e.g. during NVM firmware update via
nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,
leaving txq_map and rxq_map as NULL. The subsequent unconditional call
to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in
ice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].

The single-VF reset path in ice_reset_vf() already handles this
correctly by checking the return value of ice_vf_reconfig_vsi() and
skipping ice_vf_post_vsi_rebuild() on failure.

Apply the same pattern to ice_reset_all_vfs(): check the return value
of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and
ice_eswitch_attach_vf() on failure. The VF is left safely disabled
(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can
be recovered via a VFLR triggered by a PCI reset of the VF
(sysfs reset or driver rebind).

Note that this patch does not prevent the VF VSI rebuild from failing
during NVM update — the underlying cause is firmware being in a
transitional state while the EMP reset is processed, which can cause
Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This
patch only prevents the subsequent NULL pointer dereference that
crashes the kernel when the rebuild does fail.

crash> bt
PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"
#0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee
#1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba
#2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540
#3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda
#4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997
#5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595
#6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2
[exception RIP: ice_ena_vf_q_mappings+0x79]
RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206
RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000
RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040
R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000
R13: 0000000000000010 R14: R15:
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]
#8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]
#9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]
#10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4
#11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de
#12 [ff72159bcfe5bf18] kthread at ffffffffaa946663
#13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9

The panic occurs attempting to dereference the NULL pointer in RDX at
ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).

The faulting VSI is an allocated slab object but not fully initialized
after a failed ice_vsi_rebuild():

crash> struct ice_vsi 0xff34c9efc27d4828
netdev = 0x0,
rx_rings = 0x0,
tx_rings = 0x0,
q_vectors = 0x0,
txq_map = 0x0,
rxq_map = 0x0,
alloc_txq = 0x10,
num_txq = 0x10,
alloc_rxq = 0x10,
num_rxq = 0x10,

The nvmupdate64e process was performing NVM firmware update:

crash> bt 0xff34c9edd1a30000
PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"
#0 [ff72159bcd617618] __schedule at ffffffffab5333f8
#4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]
#5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]
#6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]
#7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]
#8
---truncated---
Severity: Pending analysis
Last modified:
30/06/2026
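
A user-space C model of the control flow described in the entry above, added here as an illustration; it is not the ice driver's code. The struct layouts, the helper names and the fw_busy flag are assumptions, and the point where the kernel would dereference NULL is counted instead of crashing so the pre-fix and patched loops can be compared.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified user-space stand-ins for the driver structures (hypothetical);
 * fw_busy is an assumed flag that forces the rebuild to fail. */
struct vsi { unsigned short *txq_map; int num_txq; };
struct vf  { struct vsi vsi; int active; int fw_busy; };

/* Models ice_vf_rebuild_vsi(): on failure the error path tears the VSI down,
 * leaving txq_map NULL while num_txq keeps its old value. */
static int vf_rebuild_vsi(struct vf *vf)
{
    free(vf->vsi.txq_map);
    vf->vsi.txq_map = NULL;
    if (vf->fw_busy)
        return -1;              /* Admin Queue command failed */
    vf->vsi.txq_map = calloc(vf->vsi.num_txq, sizeof(*vf->vsi.txq_map));
    return vf->vsi.txq_map ? 0 : -1;
}

/* Models ice_vf_post_vsi_rebuild(). The kernel reads txq_map[0] here without
 * a check and oopses; the model reports that case so both paths can run. */
static int vf_post_vsi_rebuild(struct vf *vf)
{
    if (!vf->vsi.txq_map)
        return 1;               /* would be the NULL dereference */
    vf->active = 1;             /* queues mapped, VF marked active */
    return 0;
}

/* check_ret = 0: pre-fix loop, 1: patched loop; returns would-be faults. */
int reset_all_vfs(struct vf *vfs, int n, int check_ret)
{
    int faults = 0;
    for (int i = 0; i < n; i++) {
        vfs[i].active = 0;
        if (vf_rebuild_vsi(&vfs[i]) && check_ret)
            continue;           /* VF stays disabled until a VFLR */
        faults += vf_post_vsi_rebuild(&vfs[i]);
    }
    return faults;
}

int main(void)
{
    /* Constructed input: VF 0 rebuilds cleanly, VF 1 fails (firmware busy). */
    struct vf a[2] = { { {NULL, 16}, 0, 0 }, { {NULL, 16}, 0, 1 } };
    printf("pre-fix faults: %d\n", reset_all_vfs(a, 2, 0));
    printf("patched faults: %d\n", reset_all_vfs(a, 2, 1));
    return 0;
}
```

In the patched loop the failing VF is skipped and left inactive with a NULL txq_map, matching the "left safely disabled" state the entry describes.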